From 431fda0deda433186c5ea5740e2a2b120d2c1a14 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms
Date: Tue, 17 Mar 2026 17:49:30 +0100
Subject: handle access denied exception correctly and don't duplicate redirect to login... Closes #6375 Merge request studip/studip!4836
---
 lib/functions.php | 2 +-
 lib/middleware/HandleAccessDeniedMiddleware.php | 22 +++++++---------------
 2 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/lib/functions.php b/lib/functions.php
index df63256..6621014 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1129,7 +1129,7 @@ function studip_default_exception_handler($exception) {
 $status = 403;
 $template = 'check_object_exception';
 } elseif ($exception instanceof LoginException) {
- $_SESSION['redirect_after_login'] ??= Request::url();
+ $_SESSION['redirect_after_login'] = Request::url();
 sess()->save();
 header('Location: ' . URLHelper::getScriptURL('dispatch.php/login'));
 exit;
diff --git a/lib/middleware/HandleAccessDeniedMiddleware.php b/lib/middleware/HandleAccessDeniedMiddleware.php
index 567eca8..829b516 100644
--- a/lib/middleware/HandleAccessDeniedMiddleware.php
+++ b/lib/middleware/HandleAccessDeniedMiddleware.php
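Review bot: In the `LoginException` branch of `studip_default_exception_handler` (the lib/functions.php hunk), the stored `redirect_after_login` value is derived from the current request and, with `=` instead of `??=`, is now replaced by every unauthenticated request that reaches this branch, so the last denied URL wins rather than the first. That is presumably intended now that the middleware no longer writes the key, but nothing in the hunk says so, and a background or XHR request that raises a `LoginException` after the page load would presumably replace the page URL as the post-login target. I would add a comment such as `// Overwrite on purpose: the latest denied URL wins; the consumer must only redirect to local URLs.` and confirm that the code reading this key validates the target before redirecting, which is not visible here. The branch chain of the function starts and continues outside the hunk.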
@@ -2,33 +2,25 @@
 namespace Studip\Middleware;
 use AccessDeniedException;
+use LoginException;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
-use Psr\Http\Message\ResponseFactoryInterface;
-use Request;
-use URLHelper;
+use User;
 final class HandleAccessDeniedMiddleware implements MiddlewareInterface
 {
- public function __construct(
- private readonly ResponseFactoryInterface $responseFactory
- ) {
- }
-
- /**
- * @SuppressWarnings(StaticAccess)
- * @SuppressWarnings(SuperGlobals)
- */
 public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
 {
 try {
 return $handler->handle($request);
 } catch (AccessDeniedException $ade) {
- $_SESSION['redirect_after_login'] ??= Request::url();
- return $this->responseFactory->createResponse(302)
- ->withHeader('Location', URLHelper::getURL('dispatch.php/login'));
+ if (!User::findCurrent()) {
+ throw new LoginException();
+ }
+
+ throw $ade;
 }
 }
 }
-- cgit v1.0
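Review bot: In the `catch (AccessDeniedException $ade)` block of `process()`, the login redirect is no longer produced here; it now depends on a handler further out recognising `LoginException`, and `process()` has no docblock stating that contract. If any layer between this middleware and that handler catches exceptions generically, an anonymous user would presumably get an error page instead of the login redirect; the request stays denied either way, but the behaviour deserves a test. I would add a docblock on `process()` saying that anonymous callers get a `LoginException` and authenticated callers get the original `AccessDeniedException` rethrown. If `LoginException` keeps the standard exception constructor, `throw new LoginException(previous: $ade);` would keep the original denial in the logs. The branch also relies on `User::findCurrent()` returning a falsy value for anonymous sessions, which is not visible in this hunk.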